Oyster Technology Lags Behind

LondonUnlockedEditor1 Comment

200806241044.jpgResearchers, giving evidence to the Dutch parliament, claim to have hacked London's Oyster cards.

Their research has allowed them to "clone" cards, alter the balance stored on there, and effectively shut down certain Tube entry gates, states business technology website, ZDNet:

Security experts called for TfL to upgrade the Mifare chips in April, after a series of Mifare cracks were publicised. "My understanding is there are now three [Mifare] cracks at least," Adam Laurie, an RFID and communications protocol security researcher and consultant, said in a keynote speech on RFID flaws at the Infosec 2008 conference. ...Laurie said he thought TfL, the body that runs the Oyster-card scheme, "ought to think about upgrading as soon as possible".

TechRadar also carries the story, noting that TfL's response has changed notably from the March answer of Oyster never having "been breached" to the current line of any rogue cards being picked up and blocked within 24 hours.

This development is particularly worrying given Mayor Johnson's stated plans to "Oysterise" the entire network by May 2009. The extension of the Oyster network to the outer zones and to train operating companies will provide far, far more entry points and a lessening of the security checks which central London offers.

We have already covered the privacy and contractual issues which arose over the introduction of the OnePulse credit/Oyster card. The next roll-out of Oyster will be watched even more closely. No doubt Barclays will be paying close attention to these developments, not wanting any product of theirs, the link however tenuous, to be 'hacked'. As the contractual agreement between the then-Mayor and Barclays remain unreleased, we do not know if TfL are liable should the Oyster component of those cards be hacked. If such contractual clauses do exist, the fallout could be substantial.

In an unrelated development, researchers are launching an open-source smart card project with far stronger security protocols than the current Oyster cards hold.

Two billion people across the globe use smart cards with the Mifare chip (the component which holds information in Oyster cards). TfL and the Mayor have a duty of care to protect Londoners' information, security, and to provide value for money. They must now evaluate the potential costs if the hacking of Oyster cards becomes systemic and weigh these against the value of upgrading to a more secure system.